Access management systems use various techniques, including a range of authentication mechanisms, to secure access to resources. The security provided by an access management system may be further increased by using multi-factor authentication mechanisms. For example, on mobile devices, one-time passwords (OTPs) are commonly used for second-factor authentication. As part of the authentication process, an OTP value is sent to a user's device whenever the user tries to access a protected resource. The user is then asked to provide the OTP value to complete the authentication. The success and security of using an OTP for authentication are, however, based on the assumption that the true user is in possession of the device to which the OTP is sent. This assumption is compromised when that device is lost or falls into the hands of an “attacker.” For example, the attacker may use the OTP to gain access to the protected resource. The attacker may even use the OTP to reset the true user's password, and thus compromise various secure flows. One way to protect against this is to use challenge questions. The problem with challenge questions is that they are typically quite generic, and thus their answers may be easily guessed. If the challenge questions are too complicated, their answers are easily forgotten.